-
Notifications
You must be signed in to change notification settings - Fork 58
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Jack Farzan
committed
Jul 18, 2024
1 parent
5d336f7
commit 38b6030
Showing
1 changed file
with
13 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -7,3 +7,16 @@ This C2PA open-source library is maintained in partnership with Adobe. At this t | |
| Please do not create a public GitHub issue for any suspected security vulnerabilities. Instead, please file an issue through [Adobe's HackerOne page](https://hackerone.com/adobe?type=team). If for some reason this is not possible, reach out to [email protected]. | ||
|
|
||
|
|
||
| ## Vulnerability SLAs | ||
|
|
||
| Once we receive an actionable vulnerability (meaning there is an available patch, or a code fix is required), we will acknowledge the vulnerability within 24 hours. Our target SLAs for resolution are: | ||
|
|
||
| 1. 72 hours for vulnerabilities with a CVSS score of 9.0-10.0 | ||
| 2. 2 weeks for vulnerabilities with a CVSS score of 7.0-8.9 | ||
|
|
||
| Any vulnerability with a score below 6.9 will be resolved when possible. | ||
|
|
||
|
|
||
| ## C2PA Vulnerabilities | ||
|
|
||
| That this library is not meant to address any potential vulnerabilities within the C2PA specification itself. It is only an implementation of the spec as written. Any suspected vulnerabilities within the spec can be reported [here](https://github.com/c2pa-org/specifications/issues). | ||